Articles about digital certificates

RIP HPKP: Google abandons public key pinning

Google is abandoning a next-generation web crypto technology it initially championed. HTTP Public Key Pinning (HPKP) is a standard that allows a host to instruct browsers to only accept certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection, the technology was open …
John Leyden, 30 Oct 2017

Microsoft bins unloved Chinese cert shops

Microsoft's decided not to support digital certificates issued by Chinese outfits WoSign and StartCom, but the first-mentioned CA disputes the decision. Google, Apple and Mozilla binned WoSign certs in 2016. Microsoft says it has now “... concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed …
Simon Sharwood, 10 Aug 2017

Symantec offloads its certs and web security biz to DigiCert

Symantec sold its Website Security and related PKI solutions to DigiCert, effectively making its spat with Mozilla and Google someone else's problem. Google had problems with the way Symantec handles certificates since 2015 and their dispute flared anew early this year after a Symantec partner issued dodgy certs. Google …

Mozilla takes a turn slapping Symantec's certification SNAFU

Mozilla has weighed in to the ongoing Symantec-Google certificate spat, telling Symantec it should follow the Alphabet subsidiary's advice on how to restore trust in its certificates. Readers will recall that Symantec has repeatedly issued certs that didn't ring true with browser-makers and at the end of April 2017 Google …

GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug

GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug. El Reg learnt of the cock-up from readers affected by the issue, who forwarded notification emails (extract below). Due to a software bug, the recently issued certificate for your domain was issued without …
John Leyden, 11 Jan 2017

Stuxnet-style code signing of malware becomes darknet cottage industry

Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor. In one case, a hacker tricked a legitimate certificate authority into issuing digital …
John Leyden, 4 Nov 2015

Symantec fires staff caught up in rogue Google SSL cert snafu

Symantec has fired some employees after Google engineers noticed rogue SSL certificates issued in the web goliath's name. Thawte, Symantec's certificate authority subsidiary, produced a small number of security certificates intended for internal testing. Worryingly, in the wrong hands, these certificates could have been used …
John Leyden, 21 Sep 2015

SHA-1 crypto hash retirement fraught with problems

The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn. SHA-1 is a hashing (one-way) function that converts information into a shortened "message digest", from which it is impossible to recover the original information. This hashing technique is used in …
John Leyden, 30 Apr 2015

French gov used fake Google certificate to read its workers' traffic

A French government agency has been caught signing SSL certificates and impersonating Google. The bogus certificates were endorsed by the certificate authority of the French Treasury, DG Trésor. And the Treasury's own authorisation certificate was, in turn, vouched for by IGC/A (Infrastructure de Gestion de la Confiance de l' …
John Leyden, 10 Dec 2013

MS squashes 0day bug in July Patch Tuesday

Microsoft has patched an under-attack zero-day vulnerability in XML Core Services as part of the July edition of Patch Tuesday. The critical security update (MS12-043) addresses a security flaw that has made its way into the Blackhole Exploit toolkit since its discovery last month. A further two critical updates cover a …
John Leyden, 11 Jul 2012

Trustwave to escape 'death penalty' for SSL skeleton key

Analysis: Trustwave's admission that it issued a digital "skeleton key" that allowed an unnamed private biz to spy on SSL-encrypted connections within its corporate network has sparked a fiery debate about trust on the internet. Trustwave, an SSL certificate authority, confessed to supplying a subordinate root certificate as part of an …
John Leyden, 14 Feb 2012

Comodo admits 2 more resellers pwned in SSL cert hack

Comodo has admitted a further two registration authorities tied to the digital certificates firm were hit by a high-profile forged digital certificate attack earlier this month. No forged certificates were issued as a result of the assault on victims two and three of the attack, but confirmation that multiple resellers in the …
John Leyden, 30 Mar 2011

Comodo-gate hacker brags about forged certificate exploit

An Iranian hacker has stepped forward to claim responsibility for the SSL certificate hack against Comodo, providing an insight into how the high-profile hack might have been pulled off. The lock-picker – who claimed he had "1,000 times" the experience of any hacker or programmer – asserted that after compromising Comodo's …
John Leyden, 28 Mar 2011


Biting the hand that feeds IT © 1998–2017